PCI Requirement 9.6 – Maintain Strict Control Over the Internal or External Distribution of Any Kind of Media

by Randy Bartels / January 31st, 2018

Distribution of Media

If your organization does not have policies and procedures in place to control the distribution of media, cardholder data could be lost, stolen, or used for fraudulent or malicious purposes. PCI Requirement 9.6 requires, “Maintain strict control over the internal or external distribution of any kind of media.” These controls should cover:

  • Classifying media based on sensitivity, so that the classification is easily discernible.
  • Sending media through a secured, trackable delivery method only.
  • Management approval when media is distributed, even if it’s to an internal individual.

To assess compliance with PCI Requirement 9.6, an assessor needs to review your organization’s policies and procedures regarding the distribution of media.

PCI Requirement 9.6 requires that you have access controls in place to ensure that you’re controlling the distribution of media. This might include, from an assessment perspective, role-based access controls that define who physically gets access to it. We’re going to look for controls around how the media is distributed and who it is distributed to. PCI Requirement 9.6 has several subsequent requirements underneath it, so go ahead and watch our next few videos on those and let us know if you have any questions.